Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue
Hello everyone, I’m having trouble deploying the application to a K8s cluster using the official helm chart found here.
To be more specific, the Pods of the application start and I can access the web app but can’t log in or activate the admin account. Whenever I try to do this I get the following error message:
Something went wrong!
The operation failed with the following error:
The authentication failed.
This happens on the ‘domain_dot_com/setup/install/6709bb5c-f88d-44ab-bd0b-5cb14aa81c8f/aa4a0e2a-0f56-445c-8bd0-069b63006143.json?api-version=v2’ page. When I click on the “Try Again” button I get redirected to the account recovery page where I receive:
Access to this service requires an invitation.
This email is not associated with any approved users on this domain. Please contact your administrator to request an invitation link.
And this is the error message that I found in the logs:
<IP Address> - - [15/Jan/2026:06:54:28 +0000] "GET /setup/user-key-policies/settings.json?api-version=v2&user_id=d830c295-0d12-4a62-88c5-1fe627c0e4d7&token=b7937a7b-8036-4138-90f6-a8f4c889ee3d HTTP/1.1" 200 515 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
2026-01-15 06:54:37 error: [Cake\Http\Exception\InternalErrorException] The authentication failed. in /usr/share/php/passbolt/src/Controller/Auth/AuthLoginController.php on line 113
Stack Trace:
- CORE/src/Controller/Controller.php:505
- CORE/src/Controller/ControllerFactory.php:166
- CORE/src/Controller/ControllerFactory.php:141
- CORE/src/Http/BaseApplication.php:362
- CORE/src/Http/Runner.php:86
- CORE/src/Http/Middleware/SecurityHeadersMiddleware.php:274
- CORE/src/Http/Runner.php:82
- APP/Middleware/HttpProxyMiddleware.php:51
- CORE/src/Http/Runner.php:82
- CORE/src/Http/Middleware/CsrfProtectionMiddleware.php:134
- APP/Middleware/CsrfProtectionMiddleware.php:40
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtCsrfDetectionMiddleware.php:55
- CORE/src/Http/Runner.php:82
- APP/Middleware/GpgAuthHeadersMiddleware.php:40
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/Locale/src/Middleware/LocaleMiddleware.php:47
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/InjectMfaFormMiddleware.php:67
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/MfaRequiredCheckMiddleware.php:82
- CORE/src/Http/Runner.php:82
- ROOT/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php:107
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtDestroySessionMiddleware.php:43
- CORE/src/Http/Runner.php:82
- APP/Middleware/SessionAuthPreventDeletedOrDisabledUsersMiddleware.php:47
- CORE/src/Http/Runner.php:82
- CORE/src/Http/Middleware/BodyParserMiddleware.php:162
- CORE/src/Http/Runner.php:82
- APP/Middleware/SessionPreventExtensionMiddleware.php:66
- CORE/src/Http/Runner.php:82
- APP/Middleware/ApiVersionMiddleware.php:46
- CORE/src/Http/Runner.php:82
- APP/Middleware/UuidParserMiddleware.php:52
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php:47
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtAuthDetectionMiddleware.php:58
- CORE/src/Http/Runner.php:82
- CORE/src/Routing/Middleware/RoutingMiddleware.php:117
- CORE/src/Http/Runner.php:82
- CORE/src/Routing/Middleware/AssetMiddleware.php:79
- CORE/src/Http/Runner.php:82
- APP/Middleware/SslForceMiddleware.php:52
- CORE/src/Http/Runner.php:82
- APP/Middleware/AssertFullBaseUrlMiddleware.php:47
- CORE/src/Http/Runner.php:82
- CORE/src/Error/Middleware/ErrorHandlerMiddleware.php:115
- CORE/src/Http/Runner.php:82
- APP/Middleware/ContentSecurityPolicyMiddleware.php:39
- CORE/src/Http/Runner.php:82
- APP/Middleware/ValidCookieNameMiddleware.php:46
- CORE/src/Http/Runner.php:82
- APP/Middleware/ContainerInjectorMiddleware.php:54
- CORE/src/Http/Runner.php:82
- CORE/src/Http/Runner.php:60
- CORE/src/Http/Server.php:104
- ROOT/webroot/index.php:40
- [main]:
Request URL: /auth/login.json?api-version=v2
Client IP: <IP Address>
The healthcheck indicates a problem with the GPG key, but I’ve generated a few and it accepts none of them. I generate the key pairs like this (no password):
$: gpg --full-generate-key
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: TEST
Email address: test@domain.com
Comment:
You selected this USER-ID:
"TEST <test@domain.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
^MWe need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/B9CC457F9CAFBB7E36300DB9B55CAA65E43FD17F.rev'
public and secret key created and signed.
pub ed25519 2026-01-15 [SC]
B9CC457F9CAFBB7E36300DB9B55CAA65E43FD17F
uid TEST <test@domain.com>
sub cv25519 2026-01-15 [E]
And here’s what the healthcheck returns:
$: kubectl exec -it pod/passbolt-depl-srv-6f5cd46884-qk2jx -n passbolt -- su -c "bin/cake passbolt healthcheck" -s /bin/bash www-data
Defaulted container "passbolt" out of: passbolt, redisproxy, passbolt-depl-srv-init (init)
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/......
-------------------------------------------------------------------------------
Environment
[INFO] Linux passbolt-depl-srv-6f5cd46884-qk2jx 4.19.283-4.ph3 #1-photon SMP Sat Jul 1 02:52:28 UTC 2023 x86_64 GNU/Linux
[PASS] PHP version 8.4.11.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory /var/log/passbolt/ and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.domain.com/
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
[HELP] Check the network settings
SSL Certificate
[WARN] SSL peer certificate does not validate.
[WARN] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate.
[HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set.
[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
Application configuration
[FAIL] Could not connect to passbolt repository to check versions. It is not possible to check if your version is up-to-date.
[HELP] Check the network configuration to allow this script to check for updates.
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 35 tables found.
[PASS] Some default content is present.
Metadata
[PASS] The server is able to decrypt the metadata private key.
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[PASS] The server metadata private key is valid.
[FAIL] 10 error(s) found. Hang in there!
However the ‘/etc/passbolt/passbolt.php’ file doesn’t exist on the Pod and the GPG key is imported successfully:
root@passbolt-depl-srv-6f5cd46884-bkz6q:/usr/share/php/passbolt# gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
/var/lib/passbolt/.gnupg/pubring.kbx
------------------------------------
pub ed25519 2026-01-14 [SC]
<Redacted_Key_ID>
uid [ unknown] <Redacted> (<Redacted>) <email@domain.com>
sub cv25519 2026-01-14 [E]
Also, these are samples from the startup of the passbolt container:
$: kubectl logs -f -c passbolt pod/passbolt-depl-srv-6f5cd46884-c95f5 -n passbolt
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key <KEY_ID>: public key " <Redacted>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key <KEY_ID>: " <Redacted>" not changed
gpg: key <KEY_ID>: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
gpg: error reading key: No public key
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
A JWT key pair was successfully created.
Public key path: /etc/passbolt/jwt/jwt.pem
Secret key path: /etc/passbolt/jwt/jwt.key
Installing passbolt
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Running baseline checks, please wait...
The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
Please run ./bin/cake passbolt healthcheck for more information and help.
Running migrations
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Running migration scripts.
-------------------------------------------------------------------------------
using migration paths
- /etc/passbolt/Migrations
using seed paths
using environment default
using adapter pgsql
using database passbolt_db
ordering by creation time
....
All Done. Took 3.6337s
Clearing cake caches
Clearing _cake_model_
Cleared _cake_model_ cache
Clearing _cake_core_
The `_cake_core_` cache configuration does not exist.
Clearing _cake_translations_
Cleared _cake_translations_ cache
Enjoy! ☮
/usr/lib/python3/dist-packages/supervisor/options.py:474: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
self.warnings.warn(
2026-01-15 04:54:18,759 CRIT Supervisor is running as root. Privileges were not dropped because no user is specified in the config file. If you intend to run as root, you can set user=root in the config file to avoid this message.
2026-01-15 04:54:18,759 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing
2026-01-15 04:54:18,759 INFO Included extra file "/etc/supervisor/conf.d/nginx.conf" during parsing
2026-01-15 04:54:18,759 INFO Included extra file "/etc/supervisor/conf.d/php.conf" during parsing
2026-01-15 04:54:18,764 INFO RPC interface 'supervisor' initialized
2026-01-15 04:54:18,764 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2026-01-15 04:54:18,764 INFO supervisord started with pid 1
2026-01-15 04:54:19,767 INFO spawned: 'php-fpm' with pid 139
2026-01-15 04:54:19,768 INFO spawned: 'nginx' with pid 140
2026/01/15 04:54:19 [warn] 140#140: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/snippets/passbolt-ssl.conf:11
2026/01/15 04:54:19 [warn] 140#140: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/snippets/passbolt-ssl.conf:12
[15-Jan-2026 04:54:19] NOTICE: fpm is running, pid 139
[15-Jan-2026 04:54:19] NOTICE: ready to handle connections
[15-Jan-2026 04:54:19] NOTICE: systemd monitor interval set to 10000ms
2026-01-15 04:54:20,866 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2026-01-15 04:54:20,866 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
10.14.5.1 - - [15/Jan/2026:04:54:48 +0000] "GET /healthcheck/status.json HTTP/2.0" 200 220 "-" "kube-probe/1.24"
And this is my values.yaml file:
global:
  imageRegistry: "<redacted>"
readinessProbe:
  initialDelaySeconds: 30
livenessProbe:
  initialDelaySeconds: 30
# Ingress
ingress:
  enabled: true
  className: "<redacted>"
  hosts:
    - host: <redacted>
      paths:
        - path: /
          port: http
          pathType: ImplementationSpecific
  tls:
    - autogenerate: false
      existingSecret: "<redacted>"
      hosts:
        - <redacted>
# GPG
gpgExistingSecret: "passbolt-keys"
# JWT
jwtPath: "/data-jwt"
jwtServerPrivate:
  valueFrom:
    secretKeyRef:
      name: passbolt-keys
      key: passbolt-jwt-private.key
jwtServerPublic:
  valueFrom:
    secretKeyRef:
      name: passbolt-keys
      key: passbolt-jwt-public.pem
jwtExistingSecret: "passbolt-keys"
# Redis
redis:
  auth:
    enabled: true
  sentinel:
    enabled: true
    extraEnvVars:
      - name: REDIS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: passbolt-keys
            key: passbolt-redis-passw
# Postgre
postgresqlDependencyEnabled: false
mariadbDependencyEnabled: false
postgresql:
  auth:
    username: <redacted>
    database: <redacted>
cronJobEmail:
  enabled: true
app:
  database:
    kind: postgresql
  cache:
    redis:
      enabled: true
  databaseInitContainer:
    enabled: true
# Passbolt
passboltEnv:
  extraEnv:
    - name: CACHE_CAKE_DEFAULT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: passbolt-keys
          key: passbolt-redis-passw
    - name: DATASOURCES_DEFAULT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: passbolt-keys
          key: passbolt-postgres-passw
    - name: DATASOURCES_DEFAULT_URL
      value: "<redacted>"
  plain:
    APP_FULL_BASE_URL: https://<redacted>/
    # Necessary to prevent https redirect loop
    PASSBOLT_SSL_FORCE: false
    EMAIL_DEFAULT_FROM: "no-reply@<redacted>"
    EMAIL_TRANSPORT_DEFAULT_HOST: "<redacted>"
    EMAIL_TRANSPORT_DEFAULT_PORT: "<redacted>"
    DATASOURCES_DEFAULT_HOST: "<redacted>"
    DATASOURCES_DEFAULT_PORT: "<redacted>"
  secret:
    DATASOURCES_DEFAULT_USERNAME: "<redacted>"
    DATASOURCES_DEFAULT_DATABASE: "<redacted>"
Lastly, I’ve tried removing everything and starting over a couple of times but each time I get to the same problem.
Does anyone have any ideas on the issue?
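Added example, not part of the original post and not Passbolt's own code: the healthcheck HELP lines above suggest checking the fingerprint by looking up the keyring entry for SERVER_KEY_EMAIL, and this script performs that comparison on `gpg --with-colons` output. The function names, the sample listing and its subkey fingerprint are constructed for illustration; the primary fingerprint and user ID are the ones shown in the post's key generation output.

```shell
# Inputs are colon listings, e.g. (run as the webserver user):
#   gpg --show-keys --with-colons /etc/passbolt/gpg/serverkey_private.asc
#   gpg --homedir /var/lib/passbolt/.gnupg --list-keys --with-colons

# Print the primary-key fingerprint of every key in a listing read from stdin.
# Only the first "fpr" record after "pub"/"sec" is the primary key's;
# "fpr" records that follow "sub"/"ssb" belong to subkeys and are skipped.
primary_fprs() {
  awk -F: '
    $1 == "pub" || $1 == "sec" { want = 1; next }
    $1 == "sub" || $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want        { print $10; want = 0 }'
}

# Print the primary fingerprint of the key whose user ID carries <email> ($1).
# Prints nothing when no user ID in the listing matches.
fpr_for_email() {
  awk -F: -v email="$1" '
    $1 == "pub" || $1 == "sec" { fpr = ""; want = 1; next }
    $1 == "sub" || $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want        { fpr = $10; want = 0; next }
    $1 == "uid" && index(tolower($10), "<" tolower(email) ">") { print fpr; exit }'
}

# $1: listing of the key file   $2: listing of the keyring
# $3: fingerprint the server is configured with   $4: server key email
check_server_key() {
  csk_file=$(printf '%s\n' "$1" | primary_fprs | head -n 1)
  csk_ring=$(printf '%s\n' "$2" | fpr_for_email "$4")
  if [ -z "$csk_ring" ]; then
    echo "no-key-for-email"
  elif [ "$csk_ring" != "$csk_file" ]; then
    echo "keyring-differs-from-file"
  elif [ "$csk_ring" != "$3" ]; then
    echo "configured-fingerprint-differs"
  else
    echo "ok"
  fi
}

# Constructed sample listing (not captured from a real pod).
SAMPLE='pub:u:255:22:B55CAA65E43FD17F:1768435200:::u:::scESC:::::ed25519:::0:
fpr:::::::::B9CC457F9CAFBB7E36300DB9B55CAA65E43FD17F:
uid:u::::1768435200::0000000000000000000000000000000000000000::TEST <test@domain.com>::::::::::0:
sub:u:255:18:0123456789ABCDEF:1768435200::::::e:::::cv25519::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:'

check_server_key "$SAMPLE" "$SAMPLE" \
  "B9CC457F9CAFBB7E36300DB9B55CAA65E43FD17F" "test@domain.com"
```

Each result names the first comparison that fails, so it can be read against the corresponding [FAIL] line in the healthcheck output.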